Cybersecurity (Apache Log4j) Vulnerability Guidance

22 December 2021

On December 10, 2021, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and others announced a critical remote code execution vulnerability in many versions of Apache’s Log4j software. Log4j is a java-based logging utility incorporated in frameworks, websites, and applications, and is widely used by major cloud services and well-known software vendors and manufacturers. According to senior cybersecurity professionals, this vulnerability is very serious.  

Cybersecurity threat actors are actively exploiting Log4j vulnerabilities. Successful exploitation of a vulnerability can be used to deploy ransomware, steal data, and disrupt operations.

All regulated entities should promptly assess risk to their organization, customers, consumers, and third party service providers based upon the evolving information and take action to mitigate risk. Organizations are urged to review and monitor the Apache Log4j Security Vulnerabilities web page for updates and mitigation guidance. 

Regulated entities are reminded to report cybersecurity events that meet the criteria certainly reference our data breach notice act (9 V.S.A. 2435) and DFR Bulletin #4.

Contact Information

Department of Financial Regulation
Consumer Services 
89 Main Street, Montpelier, VT 05620 - 3101

802-828-3301
833-DFR-HOTLINE (toll free)
833-337-4685 (toll free)

Public Information
For public records, media inquiries, and press releases visit our Public Information web page

Twitter icon
Facebook icon
LinkedIn icon

Employee Information